When I try to create an alert with the Splunk Rest API it just makes a report instead?

joemaz95
Path Finder

I've been playing with the different properties to see if something would trigger a report/saved search becoming an alert with no luck. Any guidance on how to create an alert via the API would be much appreciated.

```python
import requests

# host and headers (the management host:port and the auth header) are defined
# earlier in the poster's script and are not shown in the post.
parameters = {
    'name': 'test-alert1',
    'search': 'index="_audit"',
    'description': 'test alert',
    'action.email': False,
    'action.email.sendresults': None,
    'action.email.to': '',
    'action.populate_lookup': False,
    'action.rss': False,
    'action.script': False,
    'action.summary_index': False,
    "action.slack_webhook_alert.param.slack_message": "test",
    "action.sn_sec_multi_incident_alert.param.shortdescription": "test",
    "action.sn_sec_multi_incident_alert.param.ci": "test",
    "action.sn_sec_multi_incident_alert.param.category": "Splunk",
    "action.sn_sec_multi_incident_alert.param.source": "test",
    "action.sn_sec_multi_incident_alert.param.priority": "3",
    "action.sn_sec_multi_incident_alert.param.description": "test",
    'alert.digest_mode': True,
    'alert.expires': '24h',
    'alert.managedBy': '',
    'alert.severity': '3',
    'alert.suppress': None,
    'alert.suppress.fields': '',
    'alert.suppress.period': '',
    'alert.track': False,
    'alert_comparator': 'greater than',
    'alert_condition': '',
    'alert_threshold': '0',
    'alert_type': 'always',       # "always" means no trigger condition
    'allow_skew': '0',
    'auto_summarize': False,
    'is_visible': '1',
    'dispatch.earliest_time': '-30m',
    'is_scheduled': '1',
    'cron_schedule': '5 ',        # as posted (not a complete cron expression)
    'max_concurrent': '1',
    # The posted dict repeated the 'actions' and 'action.slack_webhook_alert'
    # keys; in a Python dict literal only the last occurrence survives, so the
    # body would have carried actions="slack_webhook_alert" alone. 'actions'
    # is one comma-separated list, so both actions are declared here once.
    "action.sn_sec_multi_incident_alert": "1",
    "action.slack_webhook_alert": "1",
    "action.slack_webhook_alert.param.slack_webhook": "INSERT WEBHOOK",
    "actions": "sn_sec_multi_incident_alert,slack_webhook_alert",
}

# None-valued entries are dropped by requests; booleans are sent as "True"/"False".
res = requests.post(
    "https://{host}/services/saved/searches".format(host=host),
    headers=headers, verify=False, data=parameters)
```

melkenneth03
New Member

You need to send a POST request with the following parameters in the body:

name = <ANY NAME>
alert_comparator = greater than
alert_threshold = 0
search = <YOUR SEARCH IN SPL>
alert_type = number of events
is_scheduled = 1
cron_schedule = <YOUR CRON SCHEDULE>   (example: */10 * * * *)

0 Karma

smeier
Path Finder

I believe the only difference between a report and an alert is whether there is an alert condition specified.

0 Karma

chandrasekharko
Path Finder

I ran into the same exact issue. Is there a way that we can create an alert with the API? What I read in the documentation is that anything we perform in the Splunk UI can be done through the API. But I could not figure out yet how to make it an alert instead of a report. Any solution for this?

0 Karma

smeier
Path Finder

I'm not sure if this helps, but I believe that setting alert_type to "always" is what causes Splunk to consider it to be a report.

This answer kind of talks about it: https://answers.splunk.com/answers/566648/is-there-a-way-to-convert-a-scheduled-report-to-an.html - maybe it will help.

0 Karma
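Putting melkenneth03's parameter list together with smeier's point about alert_type "always", here is an added example (not code from the original posts or from Splunk) that builds the request body with alert_type "number of events", POSTs it to the management port over verified TLS with a bearer token instead of verify=False, and checks the returned entry so the script fails loudly if Splunk saved a report rather than an alert. The host, token, port 8089 and the servicesNS/<owner>/<app> form of the endpoint are assumptions; actions are joined into one comma-separated `actions` value, since a repeated key in a form body (or a Python dict literal) silently drops the earlier values.

```python
"""Create a Splunk *alert* (not a report) via the saved/searches REST endpoint.

Added example for this thread; not code from the original posts or from Splunk.
Assumptions: management port 8089, a bearer token for auth, and the
servicesNS/<owner>/<app> form of the endpoint so the alert is shared in an app.
"""
import json
import ssl
import urllib.parse
import urllib.request


def alert_params(name, search, cron_schedule, threshold=0,
                 comparator="greater than", earliest="-30m", latest="now",
                 actions=()):
    """Build the form body for POST .../saved/searches.

    The saved search only becomes an alert when alert_type is something other
    than "always" (here "number of events") with a comparator and threshold;
    is_scheduled=1 plus cron_schedule make it a scheduled alert.
    """
    params = {
        "name": name,
        "search": search,
        "is_scheduled": "1",
        "cron_schedule": cron_schedule,
        "dispatch.earliest_time": earliest,
        "dispatch.latest_time": latest,
        "alert_type": "number of events",
        "alert_comparator": comparator,
        "alert_threshold": str(threshold),
        "alert.track": "1",   # list triggered instances under Triggered Alerts
    }
    if actions:
        # 'actions' is a single comma-separated list; each action is then
        # enabled with its own action.<name>=1 key.
        params["actions"] = ",".join(actions)
        for action in actions:
            params[f"action.{action}"] = "1"
    return params


def is_alert(content):
    """True if a saved-search entry's 'content' describes a scheduled alert.

    Encodes the distinction made in this thread: alert_type "always" means
    no trigger condition, which Splunk presents as a report.
    """
    scheduled = str(content.get("is_scheduled", "0")).lower() in ("1", "true")
    return scheduled and content.get("alert_type", "always") != "always"


def create_alert(host, token, params, ca_bundle=None, owner="nobody",
                 app="search", port=8089):
    """POST the saved search and return the 'content' of the created entry.

    TLS is verified against the system store (or ca_bundle); no verify=False.
    """
    url = (f"https://{host}:{port}/servicesNS/{owner}/{app}/saved/searches"
           "?output_mode=json")
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        content = json.load(resp)["entry"][0]["content"]
    if not is_alert(content):
        raise RuntimeError(f"{params['name']} was saved as a report, not an alert")
    return content


if __name__ == "__main__":
    import os
    # SPLUNK_HOST / SPLUNK_TOKEN are assumed environment variables for this example.
    params = alert_params("test-alert1", 'index="_audit"', "*/10 * * * *")
    content = create_alert(os.environ["SPLUNK_HOST"], os.environ["SPLUNK_TOKEN"], params)
    print("created alert:", content["alert_type"], content["alert_comparator"],
          content["alert_threshold"])
```

Checking the `content` that Splunk echoes back is the useful part: the POST returns 201 for a report just as happily as for an alert, so the only way to know which one you got is to inspect `alert_type` (and `is_scheduled`) on the created entry, which is also what the "Alerts" page in the UI filters on.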

jasonsigman
Engager

I am also running into this with Splunk 7.1.2

0 Karma